Restrict Generic Logins

matt

For some of our PCs, we use generic logins in which every user of the PC
signs in with the same username and password.

Quite often, users will sign on to these PCs with an Active Directory
account other than the generic one. As a result, the configuration of the
desktop, printers, IE, and other programs is incorrect and users can't use
the programs they are supposed to use.

The network administrator and I have discussed implementing a policy setting
to restrict these PCs by allowing only administrators and the generic
account the logon local privilege - preventing users from signing on with
other accounts.

Since the default domain policy grants the Everyone group the logon local
privilege, we will have to apply this setting at the Active Directory level
rather than on the local PC.

Each PC will need its own policy because the generic account is different
for each PC. We will link these policies to a high level OU and then grant
access on each policy to only the PC account involved.

If anyone has suggestions or comments on this, let me know. If you have a
better way, I would be curious. Also, if you know of a way of doing it with
a single GPO, that would be helpful, too. Please note that we realize
generic accounts aren't the best way of doing things, but for the time being
we would like to solve this problem without getting rid of generic accounts.
Also, we are presently restricting the generic login to its corresponding PC
(Active Directory setting). The question at hand is restricting the PC to
the corresponding generic login.

Thanks,

Matt
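The per-PC GPO scheme described above, as an added example that is not part of the original thread: one GPO per PC, all linked at the same OU, each security-filtered to a single computer account, plus a check that reads the effective "Allow log on locally" right back from each PC. It uses the RSAT GroupPolicy module and PowerShell remoting; the domain corp.example, the OU "Shared PCs" and the PC and account names are assumptions. The user right itself is still set in the GPO editor (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment), because the GroupPolicy module has no cmdlet for user rights.

```powershell
# Added example, not code from the thread. Assumes RSAT's GroupPolicy module on a
# domain-joined admin workstation, PowerShell remoting to the PCs, and a
# hypothetical domain CORP / corp.example with an OU "Shared PCs" holding the kiosks.
Import-Module GroupPolicy

# Hypothetical mapping: PC name -> the one generic domain account allowed to log
# on locally there (Administrators are always kept in the right as well).
$Mapping = @{
    'LAB-PC01' = 'CORP\lab01user'
    'LAB-PC02' = 'CORP\lab02user'
}
$TargetOU = 'OU=Shared PCs,DC=corp,DC=example'

foreach ($pc in $Mapping.Keys) {
    $gpoName = "LogonLocal-$pc"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName -Comment "Allow log on locally: Administrators + $($Mapping[$pc]) only" | Out-Null
        # Every per-PC GPO is linked once at the OU above all the shared PCs;
        # the security filtering below decides which PC actually applies it.
        New-GPLink -Name $gpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
    # Security filtering: remove the default 'Authenticated Users' apply permission
    # and grant Read+Apply to this PC's computer account (sAMAccountName ends in $).
    # The GPO carries computer settings only, so the MS16-072 rule (computers must
    # be able to read GPOs that hold user settings) is not an issue here.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
    Set-GPPermission -Name $gpoName -TargetName "$pc`$" -TargetType Computer -PermissionLevel GpoApply | Out-Null
}

# Now set "Allow log on locally" = Administrators, <generic account> in each GPO
# with the GPO editor. User rights are not merged between GPOs: the list in the
# last-applied GPO replaces any list defined higher up, so this OU-level GPO
# overrides a domain-level 'Everyone' grant unless that domain link is Enforced.

# Verify the effective right on a PC after policy refresh (gpupdate /force).
# secedit exports the effective local security database; SIDs are prefixed with '*'.
function Get-LogonLocallyHolders {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $inf = Join-Path $env:TEMP 'userrights.inf'
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content $inf -Encoding Unicode |
            Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        Remove-Item $inf -Force
        if (-not $line) { return @() }   # right defined for nobody
        ($line -replace '^SeInteractiveLogonRight\s*=', '') -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }   # unresolvable SID: keep it raw so it shows up as unexpected
            } else { $entry }
        }
    }
}

foreach ($pc in $Mapping.Keys) {
    $expected = @('BUILTIN\Administrators', $Mapping[$pc])
    $actual   = @(Get-LogonLocallyHolders -ComputerName $pc)
    $extra    = $actual | Where-Object { $expected -notcontains $_ }
    if ($extra) { Write-Warning "$pc still grants 'Allow log on locally' to: $($extra -join ', ')" }
    else        { Write-Host "$pc OK: $($actual -join ', ')" }
}
```

The check is the part worth keeping: the generic account is restricted to its PC in AD already, so the remaining risk is a PC whose effective right still lists Everyone or Users, and that only shows up on the machine itself. Run the audit loop after the first policy refresh and again whenever the OU's GPO links change.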
 
Steven L Umbach

In a default installation of Windows 2000 there are no user rights assigned
at the domain level, only in Domain Controller Security Policy. If you do
have it configured at the domain level you can undefine that user right and
run secedit /refreshpolicy machine_policy /enforce on the domain controller
and do the same on the domain member computers, wait for policy to propagate
[up to a couple of hours] or reboot them. Then you should be able to
configure Local Security Policy on those computers and it will become their
effective policy for user rights for logon locally. I don't think it will
help in your situation but you can configure any user account in AD Users
and Computers to restrict the computer that a domain user can logon to. ---
Steve
 
columbus

Hi Matt,
Not 100% sure what you are trying to do, but what you can have a look at
is to create a GPO for that container and block the inheritance of the
Default Domain Group Policy and then under the GPO specify what rights
need to be applied.

Hope it helps
*For some of our PCs, we use generic logins in which every user of the PC
signs in with the same username and password.

Quite often, users will sign on to these PCs with an Active Directory
account other than the generic one. As a result, configuration of the
desktop, printers, IE, and other programs are incorrect and users can't use
the programs they are supposed to use.

The network administrator and I have discussed implementing a policy setting
to restrict these PCs by allowing only administrators and the generic
account the logon local privilege - preventing users from signing on with
other accounts.

Since the default domain policy grants the Everyone group the logon local
privilege, we will have to apply this setting at the Active Directory level
rather than on the local PC.

Each PC will need its own policy because the generic account is different
for each PC. We will link these policies to a high level OU and then grant
access on each policy to only the PC account involved.

If anyone has suggestions or comments on this, let me know. If you have a
better way, I would be curious. Also, if you know of a way of doing it with
a single GPO, that would be helpful, too. Please note that we realize
generic accounts aren't the best way of doing things, but for the time being
we would like to solve this problem without getting rid of generic accounts.
Also, we are presently restricting the generic login to its corresponding PC
(Active Directory setting). The question at hand is restricting the PC to
the corresponding generic login.

Thanks,

Matt


-
columbus
 
matt

Wouldn't it be better to still configure the Security Policy from AD rather
than on the local machine?

As I mentioned, I have already restricted the computer that a domain user
can logon to, but I'm trying to do the opposite; I want to restrict a
computer to only allow a certain domain user access.


Steven L Umbach said:
In a default installation of Windows 2000 there are no user rights assigned
at the domain level, only in Domain Controller Security Policy. If you do
have it configured at the domain level you can undefine that user right and
run secedit /refreshpolicy machine_policy /enforce on the domain controller
and do the same on the domain member computers, wait for policy to propagate
[up to a couple of hours] or reboot them. Then you should be able to
configure Local Security Policy on those computers and it will become their
effective policy for user rights for logon locally. I don't think it will
help in your situation but you can configure any user account in AD Users
and Computers to restrict the computer that a domain user can logon to. ---
Steve


matt said:
For some of our PCs, we use generic logins in which every user of the PC
signs in with the same username and password.

Quite often, users will sign on to these PCs with an Active Directory
account other than the generic one. As a result, configuration of the
desktop, printers, IE, and other programs are incorrect and users can't
use the programs they are supposed to use.

The network administrator and I have discussed implementing a policy
setting to restrict these PCs by allowing only administrators and the
generic account the logon local privilege - preventing users from signing
on with other accounts.

Since the default domain policy grants the Everyone group the logon local
privilege, we will have to apply this setting at the Active Directory
level rather than on the local PC.

Each PC will need its own policy because the generic account is different
for each PC. We will link these policies to a high level OU and then
grant access on each policy to only the PC account involved.

If anyone has suggestions or comments on this, let me know. If you have a
better way, I would be curious. Also, if you know of a way of doing it
with a single GPO, that would be helpful, too. Please note that we
realize generic accounts aren't the best way of doing things, but for the
time being we would like to solve this problem without getting rid of
generic accounts. Also, we are presently restricting the generic login to
its corresponding PC (Active Directory setting). The question at hand is
restricting the PC to the corresponding generic login.

Thanks,

Matt